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PRELIMINARY AMENDMENT AND 
37 C.F.R. § 1.125 SUBSTITUTE SPECIFICATION STATEMENT 

SIR: 

Please amend without prejudice the above-identified application before examination, 
as set forth below. 

IN THE TITLE : 

Please replace the title with the following: 
-METHOD FOR GENERATING/REGENERATING AN ENCRYPTION KEY FOR A 
CRYPTOGRAPHIC METHOD--. 

IN THE SPECIFICATION AND ABSTRACT : 

In accordance with 37 C.F.R. § 1.121(b)(3), a Substitute Specification (including the 
Abstract, but without claims) accompanies this response. It is respectfully requested that the 
Substitute Specification (including Abstract) be entered to replace the Specification of record. 



444121V1 



IN THE CLAIMS : 

Without prejudice, please cancel original claims 1 to 8 in the original application and 
please add new claims 9 to 16 as follows: 

9. (New) A method for at least one of generating and regenerating an encryption key for a 
cryptographic method, comprising: 

generating a seed S, the seed S being a large random number, only on a side of a user 
by consulting at least one quantity u known only to the user, the encryption key C and a 
public key U being generated from the seed S by using at least one predefined deterministic 
method; 

generating a regeneration information R on the side of the user to regenerate the seed S 
and from which the seed S may be derived deterministically by a trust center by linking only 
to a secret information v known to the trust center; 

storing the regeneration information R so that the regeneration information R is 
secured against loss, 

wherein if the encryption key C is unavailable then the seed S is reconstructable by the 
trust center by linking the regeneration information to the secret information v. 

10. (New) The method of claim 9, further comprising providing a key agreement mapping k: 
k(x,y)=z, and wherein: 

a) k(k(u,v),w) = k(k(u,w),v) for all u,v,w; 

b) from the knowledge of u and k(u,v), v cannot be inferred; 

c) from the knowledge of u, k(u,v) and k(u,w), k(k(u,w)v) cannot be inferred; 
wherein a public parameter g known to the trust center and a secret key v available at 

the trust center are linked to a public key V=k(g,v) of the trust center; 

wherein the public key V and the at least one quantity u selected on the user side are 
linked on the user side to the seed S=k(V,u); 

wherein a key pair made up of an encryption key C and a public user key U is derived 
from seed S on the user side using the at least one predefined deterministic method; and 

wherein to reconstruct the key pair of the encryption key C and the public user key U, 
the regeneration information R^k(g,u) is generated on the user side and is stored so as 
to be protected against loss. 
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1 1 . (New) The method of claim 9, further comprising providing a key agreement mapping k 
which is a discrete exponential function modulo a large prime number p: k(x,y) := x y modulo 
p, and providing that a public parameter g is an element of a mathematical field GF(p) of a 
high multiplicative power. 

12. (New) The method of claim 9, further comprising providing a key agreement mapping k 
which is a multiplication on an elliptic curve. 

13. (New) The method of claim 9, wherein the trust center calculates the seed S=(R,v) from 
the regeneration information R so as to reconstruct the encryption key C. 

14. (New) The method of claim 9, further comprising deriving a new public key U and a 
new encryption key C when the seed S is calculated, due to loss of at least one of the 
encryption key C and the public key U; and 

verifying by the trust center whether the new public key U is identical to the prior 
public key U, 

wherein when verified that the new public key U is identical to the prior public key U 
then providing a reconstructed encryption key C to the user. 

15. (New) The method of claim 10, further comprising providing a plurality of trust centers 
which employ the key agreement mapping k and the public parameter g; 

selecting at least one of the plurality of trust centers, so that each of the selected trust 
centers assist in generating a partial seed Sv of the seed S being generated on the side of the 
user and the partial seed Sv being linked on the side of the user to the seed S, in generating 
the encryption key C; 

calculating by the selected trust centers their respective partial seed Sv of the seed S 
using the regeneration information R, to regenerate the encryption key C in the case of loss; 

reconstructing the encryption key C by linking in combination with each other the 
respective reconstructed partial seed Sv of each respective selected trust center. 

1 6. (New) The method of claim 1 5, wherein the trust center and the plurality of trust centers 
each use at least one of a respective different function kv and a respective different public 
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parameter gv to create a separate regeneration information Rv for each of the trust centers 
selected. 

REMARKS 

This Preliminary Amendment cancels without prejudice original claims 1 to 8 in the 
underlying PCT Application No. PCT/EP00/06387, and adds without prejudice new claims 9 
to 16. The new claims conform the claims to U.S. Patent and Trademark Office rules and do 
not add new matter to the application. 

In accordance with 37 C.F.R. § 1.121(b)(3), the Substitute Specification (including the 
Abstract, but without the claims) contains no new matter. The amendments reflected in the 
Substitute Specification (including Abstract) are to conform the Specification and Abstract to 
U.S. Patent and Trademark Office rules or to correct informalities. As required by 37 C.F.R. 
§ 1.121(b)(3)(m) and § 1.125(b)(2), a Marked Up Version Of The Substitute Specification 
comparing the Specification of record and the Substitute Specification also accompanies this 
Preliminary Amendment. In the Marked Up Version, double-underlining indicates added text 
and bracketing indicates deleted text. Approval and entry of the Substitute Specification 
(including Abstract) is respectfully requested. 

The underlying PCT Application No. PCT/EP00/06387 includes an International 
Search Report, dated December 13, 2000. The Search Report includes a list of documents 
that were uncovered in the underlying PCT Application. A copy of the Search Report 
accompanies this Preliminary Amendment. 

The underlying PCT Application No. PCT/EP00/06387 also includes an International 
Preliminary Examination Report, dated December 7, 2001 . An English translation of the 
International Preliminary Examination Report accompanies this Preliminary Amendment. 
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Applicant asserts that the subject matter of the present application is new, non- 
obvious, and useful. Prompt consideration and allowance of the application are respectfully 
requested. 



Respectfully Submitted, 
KENYON & KENYON 



Richard L. Mayer 
(Reg. No. 22,490) 

One Broadway 
New York, NY 10004 
(212) 425-7200 (telephone) 
(212) 425-5288 (facsimile) 

CUSTOMER NO. 26646 





Dated: 
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METHOD FOR GENERATING /REGENERATING 
AN ENCRYPTION KEY FOR A CRYPTOGRAPHIC METHOD 



The present invention is directed to a method for 
generating/regenerating an encryption key for a 
cryptographic method, the encryption key, as well as a 
public key being generated using a predefined 
deterministic method, from a large random number (seed) 



It is becoming more and more popular to employ the 
cryptographic technique of encryption to secure 
communications data and stored data. In this context, the 
10 data are enciphered under the control of a cryptographic 

key. The data can also be deciphered again using the same 
key. Marketable products and software libraries are 
available for this purpose. 

15 In encryption operations, a so-called hybrid method is 

mostly used. In this method, the actual message is 
encrypted using a randomly selected symmetric key 
(session key) and a preselected symmetric encryption 
method (e.g., DES, IDEA). The session key is then 

20 encrypted, in turn, in each case using the public key of 

the receiver (a plurality of receivers is possible) and 
using a predefined asymmetric or public key method (e.g., 
RSA, EIGamal) . The session key encrypted using this 
process is included with the encrypted message for each 

25 receiver. A description of this procedure and of the 

algorithms employed is found, for example, in William 
Stallings: "Cryptography and Network Security: Principles 
and Practice", Prentice Hall, Upper Saddle River, New 
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Jersey, 1998. 



To decode a received message, the receiver must first 
decipher the session key using his/her private key, which 
5 belongs to his/her public key, and a preselected public 

key algorithm, to then decrypt the message using this 
session key. 

Besides encrypting messages, cryptographic methods are 
0 also used to encrypt stored data, e.g., on one's own 

personal computer. Here as well, one typically employs a 
hybrid method, where the user first encrypts the data 
using a randomly selected symmetric key (session key) and 
a predefined symmetric encryption method (e.g., DES, 
5 IDEA) . The session key is then encrypted, in turn, using 

the user's public key and a preselected asymmetric or 
public key method (e.g., RSA, EIGamal) . 

Using his/her private key, which belongs to his/her 
0 public key, and the predefined public key algorithm, the 

user first encrypts the session key and then, using this 
session key, the stored data. 

In the following, the term "encryption key" is used in 
5 each case to refer to the user's, i.e., the receiver's 

private key. 

The encryption key is either stored on a smart card, 
access to the smart card being protected by a personal 
0 identification number (PIN) known only to the user, or it 

is stored on another storage medium (for example, a hard 
disk or diskette), in which case it is preferably 
protected by a long password. 
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It can happen that the encryption key is lost. For 
example, if the storage medium where it was located is 
destroyed, or if the user forgets the PIN number or the 
password which he/she used to secure the encryption key, 
then it is no longer possible to use it to access the 
encrypted data. 

To be able to make encrypted data accessible again in the 
event the encryption key is lost, mechanisms are needed 
to enable the encryption key to be regenerated in a 
secure manner. For this purpose, the encryption key is 
typically generated nowadays at a trust center and 
securely stored. As a rule, the encryption key is 
produced by initially generating a large random number 
(seed) using a statistically valid random process. From 
this random number, the key pair made up of the public 
key/private key is then generated with the aid of a 
deterministic method. This seed is subsequently deleted. 
If necessary, a copy of his/her encryption key is then 
delivered to the user for use. 

In the process, the user does not have any influence on 
how his/her encryption key is generated and stored. 
Moreover, it is expensive to transport the generated 
encryption key to the user in a secure manner. As a 
transport medium, nowadays, one uses, for example, the 
above-mentioned smart card, which is sent to the user. 
Also, one cannot rule out a misuse of the stored key by 
the trust center, or one's own key becoming known due to 
a malfunction in the described procedure at the trust 
center . 

The object of the present invention is to provide a 
method of the type mentioned at the outset which will 
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overcome the above-mentioned disadvantages. In 
particular, the method intends to leave it solely up to 
the user to decide whether a key should be reconstructed. 

The idea underlying the method proposed here to achieve 
the objective is that the need for storing the encryption 
key for security purposes at the trust center may be 
eliminated when the seed (S) is only generated on the 
user side, in that quantities (u) known only to the user 
are consulted; that regeneration information (R) , which 
is suitable for regenerating the seed and from which the 
seed is able to be derived determinist ically by the trust 
center by linking only to information (v) known to it, is 
generated on the user side and is stored so as to be 
secured against lost; and that, in the event of loss of 
encryption key (C) , seed (S) is reconstructed by the 
trust center by linking regeneration information (R) to 
secret information (v) . 

This may be implemented in a first embodiment of the 
present invention in that a mathematical mapping (key 
agreement mapping) k: 

k(x,y)=z is provided, for which it holds that: 

a) k(k(u,v),w) = k(k(u,w),v) for all u,v,w; 

b) from the knowledge of u and k(u,v), in practice, one 
cannot infer v; 

c) from the knowledge of u, k(u,v) and k(u,w), in 
practice, one cannot infer k(k(u,w)v); 

that a public parameter g known to the trust center and a 
secret key v available at the trust center are linked to 
a public key V=k(g,v) of the trust center; 
that public key V and a random number u selected on the 
user side are linked on the user side to seed S=k(V,u); 
that a key pair made up of encryption key C and public 
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user key U is derived from seed S on the user side using 
the predefined deterministic method; and 

that to render possible the reconstruction of this key 
pair U and C, regeneration information R=k(g,u) is 
5 generated on the user side and is stored so as to be 

protected against loss. 

Once regeneration information R is generated, random 
number u and seed S should again be destroyed for 
security reasons. Regeneration information R is generated 
under tap-proof conditions, for example within the 
user-side computer terminal, so that there is no chance 
of random number u or of seed S falling into the hands of 
the public. Without knowledge of secret key v, 
regeneration information R, by itself, is not suitable 
for deciphering messages and data and, therefore, does 
not need to be kept secret . 

Regeneration information R may be stored at any location 
20 (for example on paper) and, when needed, be sent over any 

tappable route (mail, e-mail, WWW, ftp, ...) to the trust 
center . 

Examples of suitable key agreement mappings k are known 
from the theory of numbers. Provision may be made, for 

25 example, for key agreement mapping k to be a discrete 

exponential function modulo a large prime number p: 
k(x,y) := x y modulo p, and for public parameter g to be an 
element of a mathematical field GF(p) of a high 
multiplicative power, or for key agreement mapping k to 

30 be the multiplication on an elliptic curve. In practice, 

one should select the order of magnitude of the numbers 
used such that, even by summoning up modern technical 
means, it is impossible to calculate value y from values 
x and k(x,y), which, presupposing today's deciphering 
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technology, is ensured at orders of magnitude of the 
prime numbers used of between 500 and 1000 bits. 

A description of such functions may be found in William 
5 Stallings: "Cryptography and Network Security: Principles 

and Practice", Prentice Hall, Upper Saddle River, New 
Jersey, 1998. The present invention makes use of the 
Dif f ie-Hellman key exchange principle, which is likewise 
described in the mentioned work. As described above, 
10 however, the method of the present invention presupposes 

a trust center, which, if needed, is able to regenerate 
encryption key C with the aid of regeneration information 
R. 

15 In a further embodiment of the present invention, to 

reconstruct encryption key C in the event of a loss, seed 
S=k(R,v) may be calculated by the trust center from 
regeneration information R. The lost encryption key C is, 
itself, able to be calculated from the thus reconstructed 

20 seed S using the deterministic method. 

Due to the property of mapping k which is used, it holds 
that k(R,v) = k(k(g,u),v) = k(k(g,v),u) = k(V,u) = S, 
which actually corresponds, again, to original seed S. 

25 Since the deterministic method is likewise known to the 

trust center, using regeneration information R, the trust 
center is able to readily reproduce encryption key C, 
even without knowledge of random number u. The 
regenerated encryption key C must then be relayed to the 

30 user over a tap-proof channel. 

To prevent the method of the present invention from being 
misused to obtain private encryption keys C belonging to 
others, provision may also be made, once seed S is 
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calculated and the user's new public key U and the new 
encryption key C are derived due to the loss of a key, 
for the trust center to verify whether the newly 
calculated public key U is identical to the user's 
original public key U, and for reconstructed encryption 
key C to only be handed over to the user when this is 
conclusive. A method for securely linking the user's 
identity to his/her public key U is known from ITU 
standard X. 509. 

Another embodiment of the method provides for there to be 
a plurality of trust centers which employ key agreement 
mapping k and public parameter g. In generating 
encryption key C, one or more of these trust centers is 
selected, with the aid of each of the selected trust 
centers, another fraction value Sv of the seed being 
generated on the user side, as described, and partial 
seed Sv being linked on the user side to seed S. To 
regenerate encryption key C in the case of loss, the 
selected trust centers calculate their respective 
fraction value Sv of seed S using regeneration 
information R. To reconstruct encryption key C, the 
reconstructed fraction values Sv are linked, in 
combination with one another, to seed S. The procedure 
can prevent a trust center from misusing the method, 
since each trust center is able to generate only one 
partial seed Sv which, by itself, is unusable. 

Another embodiment of the method provides for the various 
trust centers to use different functions kv and/or 
different public parameters gv, and for separate 
regeneration information Rv to be created for each of the 
selected trust centers. In such a case, the user must 
implement the method of the present invention for each 
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trust center, and each trust center must generate its 
particular partial seed Sv using its specific 
regeneration information Rv. 

5 Exemplary embodiments of the present invention are 

represented by several figures in the drawing and are 
elucidated in the following description. The figures 
show : 

10 Figure 1 a flow chart for generating a key part specific 

to a user; and 

Figure 2 a flow chart for reconstructing the encryption 
key, following a loss. 

15 

Identical or corresponding parts are provided with the 
same reference numerals in the figures. 

Figure 1 shows a time-related flow chart of the processes 
20 required for generating a reconst ructable , user-specific 

encryption key C and public user key U in accordance with 
the method of the present invention. In the column 
denoted by N, the user-side data occurring one after 
another are listed from top to bottom. U designates the 
25 data transmission link to a trust center V. Trust center 

V and user N have public parameter g and large prime 
number p. Public key V = g v modulo p is generated by trust 
center V and transmitted by simple channels to user N. In 
response thereto, the user, using a random number u that 
30 he/she selects, generates a seed S and regeneration 

information R and again erases random number u for 
security reasons. Regeneration information G is 
transmitted to trust center V. By applying a predefined 
deterministic method known to the user and the trust 
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center, a public user key U, as well as a private, 
likewise user-specific encryption key C is generated from 
seed S. Encryption key C is used here for decrypting 
messages or data from the user. 

5 

In the case that the encryption key is lost, the trust 
center, as shown in Figure 2, regenerates seed S and 
encryption key C from regeneration information R, 
transmitted by the user to the trust center, by linking 
0 to secret key v and communicates it by secure channels to 

the user. 
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What is claimed is: 

1. A method for generating/regenerating an encryption 
key for a cryptographic method, the encryption key, 
as well as a public key being generated using a 
predefined deterministic method, from a large random 
number ( seed) , 

wherein the seed (S) is only generated on the user 
side, in that quantities (u) known only to the user 
are consulted; that regeneration information (R) , 
which is suitable for regenerating the seed and from 
which the seed is able to be derived 
deterministically by the trust center by linking 
only to information (v) known to it, is generated on 
the user side and is stored so as to be secured 
against lost; and that, in the event of loss of the 
encryption key (C) , the seed (S) is reconstructed by 
the trust center by linking the regeneration 
information (R) to the secret information (v) . 

2. The method as recited in Claim 1, 

wherein a mathematical mapping (key agreement 
mapping) k: k(x,y)=z is provided, for which it holds 
that : 

a) k(k(u,v),w) = k(k(u,w),v) for all u,v,w; 

b) from the knowledge of u and k(u,v), in 
practice, one cannot infer v; 

c) from the knowledge of u, k(u,v) and k{u,w), in 
practice, one cannot infer k(k(u,w)v); 

that a public parameter g known to the trust center 
and a secret key v available at the trust center are 
linked to a public key V=k(g,v) of the trust center; 
that the public key V and a random number u selected 
on the user side are linked on the user side to the 
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seed S=k (V, u) ; 

that the key pair made up of encryption key C and 
public user key U is derived from seed S on the user 
side using the predefined deterministic method; 
and that to render possible the reconstruction of 
this key pair U and C, the regeneration information 
R=k(g,u) is generated on the user side and is stored 
so as to be protected against loss. 

The method as recited in one of the preceding 
claims, 

wherein the key agreement mapping k is a discrete 
exponential function modulo a large prime number 
p: k(x,y) := x y modulo p, and that the public 
parameter g is an element of a mathematical field 
GF(p) of a high multiplicative power. 

The method as recited in one of the Claims 1 or 2, 
wherein the key agreement mapping k is the 
multiplication on an elliptic curve. 

The method as recited in one of the preceding 
claims , 

wherein to reconstruct the encryption key C in the 
event of a loss, the seed S=k(R,v) is calculated by 
the trust center from the regeneration information 
R. 

The method as recited in one of the preceding 
claims , 

wherein, once the seed S is calculated and the 
user's new public key U and the new encryption key C 
are derived due to the loss of a key, the trust 
center verifies whether the newly calculated public 
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key U is identical to the user's original public key 
U, and the reconstructed encryption key C is only be 
handed over to the user when this is conclusive. 

7. The method as recited in one of the preceding 
claims, 

wherein there is a plurality of trust centers which 
employ the key agreement mapping k and the public 
parameter g. In generating the encryption key C, one 
or more of these trust centers is selected, with the 
aid of each of the selected trust centers, another 
fraction value Sv of the seed being generated on the 
user side, as described, and the partial seed Sv 
being linked on the user side to the seed S. To 
regenerate the encryption key C in the case of loss, 
the selected trust centers calculate their 
respective fraction value Sv of the seed S using the 
regeneration information R. The reconstructed 
fraction values Sv are linked, in combination with 
one another, to the seed S to reconstruct the 
encryption key C. 

8. The method as recited in Claim 7, 

wherein the various trust centers use different 
functions kv and/or different public parameters gv, 
and separate regeneration information Rv is created 
for each of the selected trust centers. 
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Abstract 

In a method for generating/regenerating an encryption key 
for a cryptographic method, the encryption key, as well 
as a public key being generated using a predefined 
deterministic method, from a large random number (seed), 
the seed is only generated on the user side, in that 
quantities known only to the user are consulted. 
Regeneration information (R) , which is suitable for 
regenerating the seed and from which the seed is able to 
be derived determinist ically by the trust center by 
linking only to information known to it, is generated on 
the user side and is stored so as to be secured against 
lost. In the event of loss of the encryption key, the 
seed is reconstructed by the trust center by linking the 
regeneration information to the secret information. 
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METHOD FOR GENERATING /REGENERATING 
AN ENCRYPTION KEY FOR A CRYPTOGRAPHIC METHOD 



FIELD OF THE INVENTION 

The present invention relates to a method for generating 
and/or regenerating an encryption key for a cryptographic 
method. Specifically, the present invention relates to 
5 providing and using the encryption key, as well as a public 

key being generated using a predefined deterministic method, 
from a large random number (seed) . 

BACKGROUND INFORMATION 

10 The cryptographic technique of encryption to secure 

communications data and stored data appears to be employed 
more often. In this context, the data are enciphered (or 
encrypted) under the control of a cryptographic key. The 
data can also be deciphered again using the same key. 

15 Marketable products and software libraries may be available 

for this purpose. 

In encryption operations, a so-called hybrid method may be 
used. In this method, the actual message is encrypted using 

20 a randomly selected symmetric key or session key and a 

preselected symmetric encryption method, e.g., Data 
Encryption Standard (DES) and/or International Data 
Encryption Algorithm ( IDEA) . The session key is then 
encrypted, in turn, in each case using the public key of the 

25 receiver (a plurality of receivers may be involved) and 
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using a predefined asymmetric or public key method, e.g., 
Rivest, Shamir, Adleman code (RSA) and/or EIGamal (a public 
key encryption algorithm) . The session key encrypted using 
this process is included with the encrypted message for each 
5 receiver. The reference "Cryptography and Network Security: 

Principles and Practice", by William Stallings, Prentice 
Hall, Upper Saddle River, New Jersey, 1998, appears discuss 
this procedure and the algorithms employed. 

10 To decode a received message, the receiver must first 

decipher the session key using his/her private key, which 
belongs to his/her public key, and a preselected public key 
algorithm, to then decrypt the message using this session 
key. 

15 

Besides encrypting messages, cryptographic methods may also 
be used to encrypt stored data, e.g., on one's own personal 
computer. Here as well, one may employ a hybrid method, 
where the user first encrypts the data using a randomly 
20 selected symmetric key or session key and a predefined 

symmetric encryption method, e.g., DES and/or IDEA. The 
session key is then encrypted, in turn, using the user's 
public key and a preselected asymmetric or public key 
method, e.g., RSA and/or EIGamal. 



25 



Using his/her private key, which belongs to his/her public 
key, and the predefined public key algorithm, the user first 
encrypts the session key and then, using this session key, 
the stored data. 



30 
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In the following, the term "encryption key" is used in each 
case to refer to the user's, i.e., the receiver's, private 
key . 

5 The encryption key is either stored on a smart card, access 

to the smart card being protected by a personal 
identification number (PIN) known only to the user, or it is 
stored on another storage medium (for example, a hard disk 
or diskette), in which case it is preferably protected by a 

0 long password. 

It can happen that the encryption key is lost. For example, 
if the storage medium where it was located is destroyed, or 
if the user forgets the PIN number or the password which 
5 he/she used to secure the encryption key, then it is no 

longer possible to use it to access the encrypted data. 

To be able to make encrypted data accessible again in the 
event the encryption key is lost, mechanisms are needed to 

0 enable the encryption key to be regenerated in a secure 

manner. For this purpose, the encryption key is typically 
generated nowadays at a trust center or trustee or 
confidential, central location and securely stored. As a 
rule, the encryption key is produced by initially generating 

5 a large random number (seed) using a statistically valid 

random process. From this random number, the key pair made 
up of the public key/private key is then generated with the 
aid of a deterministic method. This seed is subsequently 
deleted. If necessary, a copy of his/her encryption key is 

\0 then delivered to the user for use. 
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In the process, the user does not have any influence on how 
his/her encryption key is generated and stored. Moreover, it 
is expensive to transport the generated encryption key to 
the user in a secure manner. As a transport medium, 
nowadays, one uses, for example, the above-mentioned smart 
card, which is sent to the user. Further, there is a danger 
of misuse of the stored key by the trust center, or one's 
own key becoming publicly known due to a malfunction by the 
trust center and/or in the procedure. 



SUMMARY OF THE INVENTION 

Exemplary embodiments of the present invention are directed 
to providing a method of the type mentioned at the outset 
which may leave it solely up to the user to decide whether 
an encryption key should be reconstructed. 



Exemplary embodiments of the present invention are further 
directed to eliminating a need for storing the encryption 
key for security purposes at the trust center by effecting 
that when the seed (S) is only generated on the user side, 
in that quantities (u) known only to the user are consulted; 
that regeneration information (R) , which is suitable for 
regenerating the seed and from which the seed is able to be 
derived determinist ically by the trust center by linking 
only to (or concatenating or combining with) information (v) 
known to it, is generated on the user side and is stored so 
as to be secured against lost; and that, in the event of 
loss of encryption key (C) , seed (S) is reconstructed by the 
trust center by linking regeneration information (R) to 
secret information (v) . 
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This may be implemented in exemplary embodiments of the 
present invention in that a mathematical mapping (key 
agreement mapping) k: 

k(x,y)=z is provided, for which it holds that: 
5 a) k(k(u,v),w) = k(k(u,w),v) for all u,v,w; 

b) from the knowledge of u and k(u,v), in practice, one 
cannot infer v; 

c) from the knowledge of u, k(u,v) and k(u,w), in 
practice, one cannot infer k(k(u,w)v); 

10 that a public parameter g known to the trust center and a 

secret key v available at the trust center are linked to a 
public key V=k(g,v) of the trust center; 

that public key V and a random number u selected on the user 
side are linked on the user side to seed S=k(V,u); 
15 that a key pair made up of encryption key C and public user 

key U is derived from seed S on the user side using the 
predefined deterministic method; and 

that to render possible the reconstruction of this key pair 
U and C, regeneration information R=k(g,u) is generated on 
20 the user side and is stored so as to be protected against 

loss . 

In a further exemplary embodiment of the present invention, 
once regeneration information R is generated, random number 

25 u and seed S should again be destroyed for security reasons. 

Regeneration information R may be generated under tap-proof 
conditions, for example, within the user-side computer 
terminal, so that there is no chance of random number u or 
of seed S falling into the hands of the public. Without 

30 knowledge of secret key v, regeneration information R, by 
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itself, may not be suitable for deciphering messages and 
data and, therefore, does not need to be kept secret. 

Regeneration information R may be stored at any location, 
5 for example, on paper, and then when needed be sent or 

transmitted over any tappable route, for example, mail, e- 
mail, www or internet, ftp, etc., to the trust center. 

Examples of suitable key agreement mappings k include those 
10 available from the theory of numbers. Provision may be made, 

for example, for key agreement mapping k to be a discrete 
exponential function modulo a large prime number p: k(x,y):= 
x y modulo p, and for public parameter g to be an element of 
a mathematical field GF(p) of a high multiplicative power, 
15 or for key agreement mapping k to be the multiplication on 

an elliptic curve. In practice, in a further exemplary 
embodiment of the present invention, one should select the 
order of magnitude of the numbers used such that, even by 
summoning up modern technical means, it may be impossible to 
20 calculate value y from values x and k(x,y), which, 

presupposing today's deciphering technology, is ensured at 
orders of magnitude of the prime numbers used of between 500 
and 1000 bits. 

25 The reference "Cryptography and Network Security: Principles 

and Practice", by William Stallings, Prentice Hall, Upper 
Saddle River, New Jersey, 1998, appears to discuss such 
formulations, including the Dif f ie-Hellman key exchange 
principle . 

30 
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The present invention makes use of the Dif f ie-Hellman key 
exchange principle. Exemplary embodiments of the method of 
the present invention presupposes a trust center, which, if 
needed, is able to regenerate encryption key C with the aid 
5 of regeneration information R. 

In further exemplary embodiments of the present invention, 
to reconstruct encryption key C in the event of a loss, seed 
S=k(R,v) may be calculated by the trust center from 
10 regeneration information R. The lost encryption key C is, 

itself, able to be calculated from the thus reconstructed 
seed S using the deterministic method. 

Due to the property of mapping k which is used, it holds 
15 that k(R,v) = k(k(g,u),v) = k(k(g,v),u) - k(V,u) = S, which 

actually corresponds, again, to original seed S. Since the 
deterministic method may be available to be known to the 
trust center, using regeneration information R, the trust 
center can be able to readily reproduce encryption key C, 
20 even without knowledge of random number u. The regenerated 

encryption key C should then be relayed to the user over a 
tap-proof channel or route. 

In a further exemplary embodiment of the present invention, 
25 to prevent the method of the present invention from being 

misused to obtain private encryption keys C belonging to 
others, provision may also be made, once seed S is 
calculated and the user's new public key U and the new 
encryption key C are derived due to the loss of a key, for 
30 the trust center to verify whether the newly calculated 
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public key U is identical to the user's original public key 
U, and for reconstructed encryption key C to only be handed 
over to the user when this verification is conclusive. A 
method for securely linking the user's identity to his/her 
5 public key U is available by ITU standard X.509. 

A further exemplary embodiment of the present invention is 
directed to providing for there to be a plurality of trust 
centers which employ key agreement mapping k and public 

10 parameter g. In generating encryption key C, one or more of 

these trust centers may be selected, with the aid of each of 
the selected trust centers, another fraction value Sv of the 
seed being generated on the user side, as described, and 
partial seed Sv being linked on the user side to seed S. To 

15 regenerate encryption key C in the case of loss, the 

selected trust centers may calculate their respective 
fraction value Sv of seed S using regeneration information 
R. To reconstruct encryption key C, the reconstructed 
fraction values Sv are linked, in combination with one 

20 another, to seed S. The procedure can prevent a trust center 

from misusing the method, since each trust center is able to 
generate only one partial seed Sv which, by itself, is 
unusable . 

25 A further embodiment of the present invention is directed to 

providing for the various trust centers to use different 
functions kv and/or different public parameters gv, and for 
separate regeneration information Rv to be created for each 
of the selected trust centers. In such a case, the user must 

30 implement the method of the present invention for each trust 
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center, and each trust center must generate its particular 
partial seed Sv using its specific regeneration information 
Rv. 



5 BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 shows a flow chart for generating a key part 
specific to a user. 

Figure 2 shows a flow chart for reconstructing the 
10 encryption key, following a loss. 



DETAILED DESCRIPTION 

Figure 1 shows a time-related flow chart of the processes 
required for generating a reconstructable, user-specific 

15 encryption key C and public user key U in accordance with 

the method of the present invention. In the column denoted 
by N, the user-side data occurring one after another are 
listed from top to bottom. U designates the data 
transmission link to a trust center V. Trust center V and 

20 user N have public parameter g and large prime number p. 

Public key V = g v modulo p is generated by trust center V 
and transmitted by simple channels or means to user N. In 
response thereto, the user, using a random number u that 
he/she selects, generates a seed S and regeneration 

25 information R and again erases random number u for security 

reasons. Regeneration information G is transmitted to trust 
center V. By applying a predefined deterministic method 
known to the user and the trust center, a public user key U, 
as well as a private, likewise user-specific encryption key 

30 C is generated from seed S. Encryption key C is used here 
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for decrypting messages or data from the user. 

In the case that the encryption key is lost, the trust 
center, as shown in Figure 2, regenerates seed S and 
encryption key C from regeneration information R, 
transmitted by the user to the trust center, by linking to 
secret key v and communicates it by secure channels or other 
such means to the user. 
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WHAT IS CLAIMED IS: 



44078V1 



11 



SUBSTITUTE SPECIFICATION 



«n 3i*"ti iVii a a ■;'"*»' ««"u n*"« ^i'^'Jj h"*** ™ r si 

_JL b_J* " 3 »*• "l" ZU* d* 1 - -U l Zlli- IT," «"1T *J? 



ABSTRACT OF THE DISCLOSURE 

A method for generating/regenerating an encryption key for a 
cryptographic method including the encryption key as well as 
a public key being generated using a predefined 
deterministic method from a large random number (seed) , 
5 where the seed is only generated on the user side, and for 

which quantities available only to the user are consulted. 
Regeneration information (R) , which is suitable for 
regenerating the seed and from which the seed is able to be 
derived deterministically by the trust center by linking 
10 only to information known to it, may be generated on the 

user side and stored so as to be secured against lost. In 
the event of loss of the encryption key, the seed may be 
reconstructed by the trust center by linking the 
regeneration information to the secret information. 
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METHOD FOR GENERATING /REGENERATING 
AN ENCRYPTION KEY FOR A CRYPTOGRAPHIC METHOD 



FIELD OF THE INVENTION 

The present invention l < o::o;;q.j; relates to a method for 
'.r-u/i: 'i;y::_;> '<v. : -.7 ' generating and/or rege nerating an 
encryption key for a cryptographic method ^ Specifically , 
the pres ent invention relates to prov iding and using the 
encryption key, as well as a public key being generated 
using a predefined deterministic method, from a large random 
number (seed) . 



10 



: BACKGROUND INFORMATION 



T ^e cryptographic technique of encryption to secure 
communications data and stored data appears to be employed 
more often. In this context, the data are enciphered (or 
!5 encrypted) under the control of a cryptographic key. The 

data can also be deciphered again using the same key. 
Marketable products and software libraries -jl? >z may foe 
available for this purpose. 

20 In encryption operations, a so-called hybrid method [is 

r< : y 'may be used. In this method, the actual message is 
encrypted using a randomly selected symmetric key : or 
session key \. ' and a preselected symmetric encryption 
method ; c . n . , f^5> , - _ ^A , " , e.g.. Data Encryptio n Standard 

2 5 (PES) and/or International Data Encryption Algorithm ( IDEA) 

The session key is then encrypted, in turn, in each case 
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using the public key of the receiver (a plurality of 
receivers may be i . ?s f>- — Lb : - ; nvolved) and using a 
predefined asymmetric or public key method (f-:.^., „:sA, 
v - 1 - ■* e-cr» * Rivest, Shamir, Adleman code (RSA) and/or 
5 ElGamal (a public key encrypt ion al gorithm ) . The session key 

encrypted using this process is included with the encrypted 
message for each receiver. _;\ ucst:;: (.:•:■ ^ f : -\ ■= ^ crorvcu^ 
^ — c'ciorJrhir^. .*\tv. io;;ri ; rex cx^o.'c, 

- — — — ir.-:a : ; The reference "Cryptography and Network 
10 Security: Principles and Practice", by Willi am Stallinas. 

Prentice Hall, Upper Saddle River, New Jersey, 1998 , appears 
discuss this procedure and the algorithms employed . 

To decode a received message, the receiver must first 
15 decipher the session key using his/her private key, which 

belongs to his/her public key, and a preselected public key 
algorithm, to then decrypt the message using this session 
key . 

20 Besides encrypting messages, cryptographic methods >±r^ may 

also be used to encrypt stored data, e.g., on one's own 
personal computer. Here as well, one " : yc ' cs . v " may 
employ >_ a hybrid method, where the user first encrypts the 
data using a randomly selected symmetric key ( or session 

25 k ey ?. and a predefined symmetric encryption method : ^ 

e.g., DES , and/or IDEA > The session key is then 
encrypted, in turn, using the user's public key and a 
preselected asymmetric or public key method ; * , e.g. , 
RSA " , * and/or ElGamal ' ) ' . 



30 



Using his/her private key, which belongs to his/her public 
key, and the predefined public key algorithm, the user first 
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encrypts the session key and then, using this session key, 
the stored data. 

In the following, the term "encryption key" is used in each 
case to refer to the user's, i.e., the receiver's^ private 
key . 

The encryption key is either stored on a smart card, access 
to the smart card being protected by a personal 
identification number (PIN) known only to the user, or it is 
stored on another storage medium (for example, a hard disk 
or diskette), in which case it is preferably protected by a 
long password. 

It can happen that the encryption key is lost. For example, 
if the storage medium where it was located is destroyed, or 
if the user forgets the PIN number or the password which 
he/she used to secure the encryption key, then it is no 
longer possible to use it to access the encrypted data. 

To be able to make encrypted data accessible again in the 
event the encryption key is lost, mechanisms are needed to 
enable the encryption key to be regenerated in a secure 
manner. For this purpose, the encryption key is typically 
generated nowadays at a trust center or trus tee or 
confidential, central location and securely stored. As a 
rule, the encryption key is produced by initially generating 
a large random number (seed) using a statistically valid 
random process. From this random number, the key pair made 
up of the public key/private key is then generated with the 
aid of a deterministic method. This seed is subsequently 
deleted. If necessary, a copy of his/her encryption key is 
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then delivered to the user for ;_use. 

In the process, the user does not have any influence on how 
his/her encryption key is generated and stored. Moreover, it 
is expensive to transport the generated encryption key to 
the user in a secure manner. As a transport medium, 
nowadays, one uses, for example, the above-mentioned smart 
card, which is sent to the user. "A". ; Further , [: e _'-;;v^~ 
' " * --' there is a danger of misuse of the stored key by 

the trust center, or one's own key becoming publicly known 
due to a malfunction ^ 4 r. :;o cc:*:*i:i.oc r - ?co<v.;ro 'by the 
trust center and/or in the procedure . 

^ ; SUMMARY OF THE INVENTION 

15 Exemplary embodiments of the present invention 7 Lh ' are 

directed to p- ov ' Ac 1 providing a method of the type 
mentioned at the outset which >.;\- * - yx?c *>.--: 

^ -r-r- '! cnod eusodvarr/acs. : n ri.'" ;<r, nc:::oc 

^ - o ; may leave it solely up to the user to decide 

20 whether ' u ; an encryption key should be reconstructed. 

- ^ : v ? w ; d: \!.e Exemplary embodiments of the present 

invention are further directed to el iminating a need for 

25 storing the encryption key for security purposes at the 

trust center _r;j y to c : r. : - ' by effecting that when the 

seed (S) is only generated on the user side, in that 
quantities (u) known only to the user are consulted; that 
regeneration information (R) , which is suitable for 

30 regenerating the seed and from which the seed is able to be 

derived determinis t ically by the trust center by linking 
only to (or con catena ting or combin ing with) information ( v ) 
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known to it, is generated on the user side and is stored so 
as to be secured against lost; and that, in the event of 
loss of encryption key (C) , seed (S) is reconstructed by the 
trust center by linking regeneration information (R) to 
5 secret information (v) . 

This may be implemented in j i : ;. [ exemplary embodiments, of 
the present invention in that a mathematical mapping (key 
agreement mapping) k: 
10 k(x,y)=z is provided, for which it holds that: 

a) k(k(u,v),w) = k(k(u,w),v) for all u,v,w; 

b) from the knowledge of u and k(u,v), in practice, one 
cannot infer v; 

c) from the knowledge of u, k(u,v) and k(u,w), in 
15 practice, one cannot infer k(k(u,w)v); 

that a public parameter g known to the trust center and a 
secret key v available at the trust center are linked to a 
public key V=k(g,v) of the trust center; 

that public key V and a random number u selected on the user 
20 side are linked on the user side to seed S=k(V,u); 

that a key pair made up of encryption key C and public user 
key U is derived from seed S on the user side using the 
predefined deterministic method; and 

that to render possible the reconstruction of this key pair 
25 U and C, regeneration information R=k(g,u) is generated on 

the user side and is stored so as to be protected against 
loss . 



30 



° In a further exempla ry emb odiment of the present 
inventi on, once regeneration information R is generated, 
random number u and seed S should again be destroyed for 
security reasons. Regeneration information R ^ may be 
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generated under tap-proof conditions, for example^ within 
the user-side computer terminal, so that there is no chance 
of random number u or of seed S falling into the hands of 
the public. Without knowledge of secret key v, regeneration 
information R, by itself, " 1 ? [ may not be suitable for 
deciphering messages and data and, therefore, does not need 
to be kept secret. 

Regeneration information R may be stored at any location' 
' .^for example^ on paper ? ^ and then when needed , be 
sent or transm itted over any tappable route : ' , for 
example, mail, e - .-mail, ; WW, v. www or internet , ftp, 
* etc - * to the trust center. 

15 Examples of suitable key agreement mappings k 

<r.ow ' include those available from the theory of numbers. 
Provision may be made, for example, for key agreement 
mapping k to be a discrete exponential function modulo a 
large prime number p: k(x,y):= x y modulo p, and for public 
parameter g to be an element of a mathematical field GF(p) 
of a high multiplicative power, or for key agreement mapping 
k to be the multiplication on an elliptic curve. In 
practice, in a further exempl ary embodiment of the present 
invention, one should select the order of magnitude of the 
25 numbers used such that, even by summoning up modern 

technical means, it ; is ■ may be impossible to calculate value 
y from values x and k(x,y), which, presupposing today's 
deciphering technology, is ensured at orders of magnitude of 
the prime numbers used of between 500 and 1000 bits. 



20 



30 



is: The reference "Cryptography and Network Security: 
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Principles and Practice", by William Stallings, Prentice 
Hal 1 , Upper Saddle River, New Jersey, 1998 , appears to 
discuss such formulations, including the Dif f ie-Hellman key 
exchange principle . 

5 

The present invention makes use of the Dif f ie-Hellman key 
exchange principle., : > ..l^owi;-'^ \Ch-.:*±oo<- ' r ^ 

rr: I .~ ^ d.-----: , hcwr^; , . Exem plary 

embodiments of the method of the present invention 
10 presupposes a trust center, which, if needed, is able to 

regenerate encryption key C with the aid of regeneration 
information R. 

In \-, " further exemplary embodiments of the present 
15 invention, to reconstruct encryption key C in the event of a 

loss, seed S=k(R,v) may be calculated by the trust center 
from regeneration information R. The lost encryption key C 
is, itself, able to be calculated from the thus 
reconstructed seed S using the deterministic method. 

20 

Due to the property of mapping k which is used, it holds 
that k(R,v) = k(k(g,u),v) = k(k(g,v),u) = k(V,u) = S, which 
actually corresponds, again, to original seed S. Since the 
deterministic method ; <ow_: , may be avail able to be 

25 known to the trust center, using regeneration information R, 

the trust center 1 j> ; can be able to readily reproduce 
encryption key C, even without knowledge of random number u. 
The regenerated encryption key C v\::s ' should then be 
relayed to the user over a tap-proof channel or route . 



30 



- 1 In a further exemp lary embodiment of the present 
invention, t o prevent the method of the present invention 
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from being misused to obtain private encryption keys C 
belonging to others, provision may also be made, once seed S 
is calculated and the user's new public key U and the new 
encryption key C are derived due to the loss of a key, for 
5 the trust center to verify whether the newly calculated 

public key U is identical to the user's original public key 
U, and for reconstructed encryption key C to only be handed 
over to the user when this verification is conclusive. A 
method for securely linking the user's identity to his/her 
10 public key U is ir'.r/ available bv ITU standard X.509. 

\ A further exemplary embodiment of the r;-; 
r:: — present invention is direc ted to providing for 

there to be a plurality of trust centers which employ key 
15 agreement mapping k and public parameter g. In generating 

encryption key C, one or more of these trust centers \\s may 
be selected, with the aid of each of the selected trust 
centers, another fraction value Sv of the seed being 
generated on the user side, as described, and partial seed 
20 Sv being linked on the user side to seed S. To regenerate 

encryption key C in the case of loss, the selected trust 
centers, may calculate their respective fraction value Sv of 
seed S using regeneration information R. To reconstruct 
encryption key C, the reconstructed fraction values Sv are 
25 linked, in combination with one another, to seed S. The 

procedure can prevent a trust center from misusing the 
method, since each trust center is able to generate only one 
partial seed Sv which, by itself, is unusable. 

30 '? A further embodiment of the r\*v ho;: 

r: ;^ ; .:,.j,present invention is directed to providing for the 
various trust centers to use different functions kv and/or 
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different public parameters gv, and for separate 
regeneration information Rv to be created for each of the 
selected trust centers. In such a case, the user must 
implement the method of the present invention for each trust 
5 center, and each trust center must generate its particular 

partial seed Sv using its specific regeneration information 
Rv. 

10 r-.r,;oc^ rui oy lov:m lia.rc.*- ir - 'i>-i-v;-q -i:.d axe 

: BRIEF DESCRIPTION OF THE DRAWINGS 
Figure 1 shows a flow chart for generating a key part 
15 specific to a user,; a:c.\ 

Figure 2 . shows a flow chart for reconstructing the 
encryption key, following a loss. 

20 :i c ^ v :o: respoi.c: r -j „ * >- ri - c ^/re 

DETAIL ED DES CRIPTION 
Figure 1 shows a time-related flow chart of the processes 
required for generating a reconstructable, user-specific 
25 encryption key C and public user key U in accordance with 

the method of the present invention. In the column denoted 
by N, the user-side data occurring one after another are 
listed from top to bottom. 0 designates the data 
transmission link to a trust center V. Trust center V and 
30 user N have public parameter g and large prime number p. 

Public key V = g v modulo p is generated by trust center V 
and transmitted by simple channels or means to user N. In 
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response thereto, the user, using a random number u that 
he/she selects, generates a seed S and regeneration 
information R and again erases random number u for security 
reasons. Regeneration information G is transmitted to trust 
5 center V. By applying a predefined deterministic method 

known to the user and the trust center, a public user key U, 
as well as a private, likewise user-specific encryption key 
C is generated from seed S. Encryption key C is used here 
for decrypting messages or data from the user. 

10 

In the case that the encryption key is lost, the trust 
center, as shown in Figure 2, regenerates seed S and 
encryption key C from regeneration information R, 
transmitted by the user to the trust center, by" ^linking 
15 to secret key v and communicates it by secure channels or 

other such means to the user. 
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ABSTRACT OF THE D ISCLOSURE 

A method for generating/regenerating an encryption key for a 
cryptographic method , including the encryption key , as 
well as a public key being generated using a predefined 
deterministic method , ^ from a large random number (seed) , 
where the seed is only generated on the user side, " : 
- and for which quantities ; <r.uw- . available only to the 

user are consulted. Regeneration information (R) , which is 
suitable for regenerating the seed and from which the seed 
is able to be derived deterministically by the trust center 
by linking only to information known to it, : may be 
generated on the user side and, stored so as to be 

secured against lost. In the event of loss of the encryption 
key, the seed ; ~ ' may be reconstructed by the trust center 
by linking the regeneration information to the secret 
information . 
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g v modulop — V=g v modulo p 

u 

S = (g v ) u modulo p 
det 

R = g u modulo p 



Fig. 1 
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R = g u modulo p ~R = g u modulo p 

S = R v modulo p 

C ■ „ _ _ c- — 

c Fig. 2 



ent by: .XENYON&KENYON 



212 558 8008; 





2345/172 



DECLARATION AND POWER OF ATTORNEY 



As a below named inventor, 1 hereby declare that: 



My residence, post office address and citizenship are as stated below next to 

my name. 



below) or an original, first and joint inventor (if plural names are listed below) of the subject 
matter which is claimed and for which a patent is sought on the invention entitled METHOD 
FOR GENERATING /REGENERATING AN ENCRYPTION KEY FOR A 
CRYPTOGRAPHIC METHOD xhe specification of which was filed as International 
Application No. PCT/EPOO/06387 on July 6 a 2000 and filed herewith as U.S. application for 
Letters Patent in the U.S. Patent and Trademark Office. 

1 hereby state that I have reviewed and understand the contents of the 
above-identified specification, including the claims. 

I acknowledge the duty to disclose information which is material to the 
examination of this application in accordance with Title 37, Code of Federal Regulations, 
§ 156(a). 



1 1 9 of any foreign application(s) for patent or inventor's certificate listed below and have also 
identified below any foreign application(s) for patent or inventor's certificate having a filing 
date before that of the application on which priority is claimed: 



1 believe t am the original, first and sole inventor (if only one name is listed 



1 hereby claim foreign priority benefits under Title 35, United States Code, § 
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And I hereby appoint Richard L. Mayer (Reg. No. 22,490), Gerard A. Messina 
(Reg. No. 35,952) and Linda M. Shady (Reg. No. 47,084) my attorneys* with full power of 
substitution and revocation, to prosecute this application and to transact ail business in the 
Patent and Trademark Office connected therewith - 

Please address ail communications regarding this application to: 

KEN YON & KliNYON 
One Broadway 
New York, New York 10004 

CUSTOMER NO. 26646 

Please direct all telephone calls to Richard L, Mayer at (212) 425-7200. 



I hereby declare thai all statements made herein of my own knowledge are true 
and that ail statements made on information and belief are believed to be true; and further that 
these statements were made with the knowledge that willful false statements and the like so 
made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the 
United States Code and that such willful and false statements may jeopardize the validity of 
the application or any patent issued thereon. 
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